Privacy Policy

Effective date: 1st May 2026 Last updated: 1st May 2026

This Privacy Policy describes how Shifu Ventures India Private Limited ("Sana", "we", "us", or "our") collects, uses, stores, shares, and protects information when you use Sana, our meeting and task workspace product available at sana.shifuventures.com (the "Service"). This policy is published by Shifu Ventures India Private Limited and applies specifically to the Sana product. Sana is operated by Shifu Ventures India Private Limited, a company incorporated in India under CIN U74999KA2023PTC170079, with its registered office at #No 230/2, 1st Floor, 15th Cross Road, Near Sampige Road, Malleshwaram, Bangalore, Karnataka, India - 560003.

Please read this policy carefully. By creating an account or otherwise using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.

1. Scope of this policy

This policy applies to information we collect when you:

create or use a Sana account,
connect a third-party service (such as Google Calendar) to Sana,
visit our website at {{sana.shifuventures.com}}, or
otherwise interact with the Service.

This policy does not apply to third-party services you connect to Sana. Those services are governed by their own privacy policies. For example, your use of Google Calendar is governed by Google's Privacy Policy.

Sana may also be made available to your organisation under a custom URL chosen by your organisation (for example, sana.<yourcompany>.com). When this is the case, the Service is still operated by Shifu Ventures India Private Limited and the practices described in this policy apply uniformly.

2. Information we collect

2.1 Information you provide directly

Account information: your name, email address, password, and profile photo if you upload one. Passwords are stored using bcrypt one-way hashing with a per-password salt; we cannot read or recover your password.
Workspace information: the workspace(s) you create or join, your role within them, and any project, section, task, agenda, comment, or note content you add to the Service.
Communications: messages you send to our support team, feedback, and survey responses.

2.2 Information from Google when you connect Google Calendar

When you click "Connect Google Calendar," you are taken through Google's standard OAuth 2.0 consent flow. Sana asks for the following Google OAuth scopes:

Scope

What it lets us access

Why we need it

openid

A unique, stable identifier for your Google account.

To match your Google account to your Sana account on reconnection.

https://www.googleapis.com/auth/userinfo.email

Your primary Google email address.

To match calendar events to the right Sana user (events list attendees by email).

https://www.googleapis.com/auth/userinfo.profile

Your name and profile photo URL on Google.

To display your name on the meetings UI when your Sana profile is incomplete.

https://www.googleapis.com/auth/calendar.events.readonly

Read-only access to events on calendars you own or are subscribed to.

To pull your meetings into Sana so you and other attendees can collaborate on agendas, next steps, and notes.

We do not request write, delete, or admin access to your calendar at this time.

For each calendar event we pull in, we receive and store: the event ID, the iCalUID, the event title, description, start and end times, time zone, location, conferencing link (Google Meet, Zoom, etc.), organizer name and email, attendee names and emails, attendee response statuses, and the cancelled/confirmed status of the event.

We also receive and store OAuth access tokens and refresh tokens issued by Google. These tokens are encrypted at rest using AES-256-GCM authenticated encryption before being written to our database. They are never logged.

2.3 Information collected automatically

When you use the Service we automatically collect:

Log data: your IP address, browser type and version, operating system, the pages you visit on Sana, the time and date of your visits, and similar diagnostic data. Log data is retained for up to 90 days for debugging and security investigation, then deleted.
Cookies and similar technologies: Sana uses a small number of essential cookies, primarily a session cookie that keeps you signed in. We do not use third-party advertising cookies.
Device identifiers where applicable to deliver the Service securely.

3. How we use information

We use the information described above only to:

Provide the Service — sync your calendar events into Sana, display them to you and other attendees who use Sana, and let you collaborate on agendas, next steps, tasks, comments, and notes tied to those meetings.
Authenticate you — sign you in, keep your session active, and re-issue access tokens to Google on your behalf when the existing token is close to expiry.
Operate, maintain, and improve the Service — debug errors, monitor performance, prevent abuse, and improve features that are visible to you.
Communicate with you — respond to support requests, send service-related notices (such as security alerts or material changes to this policy), and, only if you opt in, send product updates.
Comply with legal obligations — respond to lawful requests from public authorities, enforce our Terms of Service, and protect our rights, property, and safety, and that of our users and the public.

We do not use Google user data, nor any data derived from it, for any of the following purposes:

targeted, personalised, retargeted, or interest-based advertising;
selling, transferring, or providing to data brokers, information resellers, advertising networks, or analytics services that monetise user data;
determining credit-worthiness or for lending purposes;
creating, augmenting, or enriching marketing or contact databases;
training or improving generalised AI or machine-learning models, or any AI/ML models that benefit users other than the user who originally provided the data.

Where Sana offers in-product AI features, those features process Google user data only to deliver the requested feature to the requesting user. We do not retain that data outside what is necessary to deliver the feature, and we do not use it to train models that benefit other users or other applications.

We do not make decisions about you using solely automated means that produce legal or similarly significant effects on you.

4. Limited Use of Google user data

Sana's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In plain language, this means:

We only use Google user data to provide or improve features in Sana that are visible to you in the Sana interface.
We do not use Google user data to serve ads, including retargeting, personalised, or interest-based advertising.
We do not sell or transfer Google user data to data brokers, information resellers, or any other party, except as described in Section 5 below.
We do not allow humans to read your Google user data, except: (i) with your specific consent; (ii) where strictly necessary to investigate a security incident or suspected abuse, or for compliance with applicable law; (iii) when the data has been aggregated and anonymised so that it cannot be linked back to you; or (iv) where strictly necessary for internal operations and only after the data has been de-identified or aggregated.

5. How we share information

We do not sell your personal information. We share information only in the limited circumstances described below.

5.1 With other Sana users

When you collaborate inside a Sana workspace, the following becomes visible to other members of that workspace and to other attendees of meetings you share with them:

your name, email, and profile photo;
the meetings you both attend (the Sana row dedupes the same calendar event across all attendees who use Sana);
agenda items, next-step tasks, comments, and notes that you add to a shared meeting.

If you do not want a particular meeting visible to other attendees inside Sana, the only reliable way to prevent that is to not have those attendees on the calendar event in Google.

5.2 With service providers

We work with third-party companies that help us run the Service. These include cloud hosting and database providers, file storage (for image and PDF attachments), email delivery, customer support tooling, and analytics for Service performance. These providers only process information on our instructions, only as needed to deliver their service to us, and are bound by written contracts that require them to keep the information confidential and secure. We do not engage data brokers, information resellers, advertising networks, or any other third party that monetises personal data. A current list of our material sub-processors is available on request to {{team@shifuventures.com}}.

5.3 For legal reasons

We may disclose information if we have a good-faith belief that doing so is required by law, regulation, court order, or other valid legal process; to enforce our Terms of Service; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Sana, our users, or the public.

5.4 In a corporate transaction

If Sana or substantially all of its assets are involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. Where Google user data is involved, we will obtain your affirmative consent before transferring it, as required by the Google API Services User Data Policy.

5.5 With your consent

We may share information for any other purpose with your explicit consent.

6. How we store and protect your information

We take the security of your information — including all Google user data we receive — seriously, and maintain administrative, technical, and physical safeguards designed to protect it. In particular:

All data is transmitted over TLS (HTTPS).
Account passwords are stored using bcrypt one-way hashing with a per-password salt and a work factor calibrated to current industry guidance. We cannot read or recover your password; password resets are performed by issuing a one-time link to your verified email address.
Google OAuth access tokens, refresh tokens, and any sensitive Google user data we cache are encrypted at rest in our database using AES-256-GCM authenticated encryption. The encryption key is stored separately from the database connection credentials and is rotated periodically.
Access to production systems is limited to a small number of authorised personnel, requires multi-factor authentication, and is logged.
We log access to OAuth integrations to help detect anomalous activity.
We invite security researchers to report vulnerabilities responsibly to {{team@shifuventures.com}}; we acknowledge such reports within 3 working days.

No method of transmission or storage is perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security. If we become aware of a security breach affecting your personal information, we will notify you and the relevant authorities as required by applicable law.

7. Data retention and deletion

We retain personal information only for as long as is necessary for the purposes described in this policy.

Account information is retained for as long as your account is active.
Google user data (calendar events, attendee data) is retained for as long as your Google Calendar integration is connected to Sana, plus a short backup window not exceeding 30 days after disconnection or account deletion.
OAuth tokens are deleted from our active systems immediately when you disconnect Google Calendar from inside Sana, when your account is deleted, or when Google notifies us that the tokens have been revoked. We also call Google's token-revocation endpoint on disconnect so that your authorisation is removed from Google's side as well.
Log data is retained for up to 90 days, then deleted.
Backups are encrypted and rotated on a 30-day cycle. Personal information in backups is overwritten on that cycle.

You can:

Disconnect Google Calendar at any time inside Sana, which deletes your stored tokens and stops further syncs.
Revoke Sana's access from Google directly at https://myaccount.google.com/permissions at any time.
Delete your Sana account by emailing {{team@shifuventures.com}}. Once we receive a verified deletion request, we will delete or de-identify your personal information within 30 days, except where we are required to retain it for legal, tax, accounting, or fraud-prevention reasons.

8. Your rights

Depending on where you live, you may have the following rights with respect to your personal information:

Access — request a copy of the personal information we hold about you.
Correction — ask us to correct inaccurate or incomplete information.
Deletion — ask us to delete your personal information.
Portability — request a copy of certain information in a structured, machine-readable format.
Objection or restriction — object to, or ask us to restrict, certain processing of your information.
Withdrawal of consent — withdraw consent that you have previously given, without affecting the lawfulness of processing already carried out.
Nomination — if you are in India, you may nominate another individual to exercise your rights in the event of your death or incapacity, as provided under the Digital Personal Data Protection Act, 2023.

To exercise any of these rights, email {{team@shifuventures.com}}. We may need to verify your identity before fulfilling the request. We will acknowledge your request within 48 hours and respond substantively within the timelines required by applicable law (typically 30 days).

If you are in the EEA, UK, or Switzerland, you have rights under the GDPR, including the right to lodge a complaint with your local supervisory authority. If you are in India and your concern is not satisfactorily resolved, you may approach the Data Protection Board of India under the Digital Personal Data Protection Act, 2023.

9. International data transfers

Sana is operated from India. If you access the Service from outside India, your information will be transferred to, stored in, and processed in India and other countries where our service providers operate. By using Sana, you consent to such transfers. Where required, we put in place appropriate safeguards (such as standard contractual clauses) to protect your information when it is transferred internationally.

10. Children's privacy

Sana is a workplace product intended for use by adults in a professional context. The Service is not directed to children under 18, and we do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact {{team@shifuventures.com}} and we will take steps to delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

update the "Last updated" date at the top of this page;
notify you by email and/or by an in-product notice at least 14 days before the change takes effect, where reasonably possible; and
if the change affects how we use Google user data, prompt you to consent to the updated policy before we make use of Google user data in the new way.

Your continued use of the Service after the change takes effect constitutes acceptance of the updated policy.

12. Grievance redressal and contact

In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer for handling concerns relating to this Privacy Policy or the processing of your personal information.

Grievance Officer: {{Prateek Sethi}} Email: {{team@shifuventures.com}} Phone: {{9090345232}} Address: Shifu Ventures India Private Limited #No 230/2, 1st Floor, 15th Cross Road Near Sampige Road, Malleshwaram Bangalore, Karnataka, India - 560003

We will acknowledge complaints within 48 hours of receipt and aim to resolve them within 30 days, in line with applicable Indian law. If you do not receive a satisfactory resolution within that period, you may approach the Data Protection Board of India.

For security vulnerability reports, please contact {{team@shifuventures.com}} instead — these are handled separately on a faster track.